On 08/01/13 10:31, Khapare Joshi wrote:
> I am running on:
> CENTOS6
> samba-winbind-3.5.10-125.el6.x86_64
> samba-3.5.10-125.el6.x86_64
> samba-common-3.5.10-125.el6.x86_64
Ok. Unfortunately this isn't nearly enough data to speculate about what
your problems might be. To be honest, I don't even know what data
*would* tell us that - but it would certainly include your AD server OS
version and domain functional level.
But this is really off-topic - if you have Samba problems, the Samba
list is the place to discuss them.
> and DEFAULT AUTH-Type = kerberos in users file.
No, this is wrong. Don't do this. It may stop you doing mschap.
If you *must* set Auth-Type, you need to ensure it's done correctly -
only set if unset, and if it's PAP - which can be done in unlang like so:
authorize {
    ...
    eap
    mschap
    # if Auth-Type isn't set yet
    if (!control:Auth-Type) {
        # AND if it's a PAP request (contains User-Password)
        if (User-Password) {
            # use Kerberos
            update control {
                Auth-Type := kerberos
            }
        }
    }
    ...
}
> To make this work, I still have to configure samba, join radius server
> to AD and so on for the AD authentication right ?
Yes.
> but, kerberos only works with PAP, is there a security risk - what is
> your view on this?
View on what?
Vague questions like "is there a security risk" don't really mean anything.
Let me answer a different question:
In my opinion, given current state-of-the-art in cryptography, TTLS/PAP
is not appreciably more or less secure than PEAP/MSCHAP. They both have
very similar security properties, and are close to identical at the
protocol level.
The use of TTLS/PAP provides more options in backend password storage /
authentication server, but that's separate from the security of the
protocol.
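For readers following this thread, here is an added example (not from the post above, and not the FreeRADIUS project's shipped configuration) showing where the conditional Auth-Type block would sit for a TTLS/PAP deployment: in the "inner-tunnel" virtual server, with a matching authenticate section. It assumes a krb5 module instance named "krb5" has already been configured in raddb/modules/krb5, and that the value name "kerberos" is accepted case-insensitively as in the post above; the placeholder keytab and principal settings are assumptions to be replaced with your own.

```unlang
# Added example: inner-tunnel for TTLS/PAP with Kerberos as the PAP backend.
# Assumes a module instance "krb5" is defined, e.g. in raddb/modules/krb5:
#   krb5 {
#       keytab = /etc/raddb/radius.keytab          # placeholder path
#       service_principal = radius/radius.example.com  # placeholder principal
#   }
server inner-tunnel {
    authorize {
        # Let EAP and MS-CHAP claim their own requests first; they set
        # Auth-Type themselves when the request belongs to them.
        eap
        mschap

        # Only act when no module has set Auth-Type yet ...
        if (!control:Auth-Type) {
            # ... and only for PAP inner requests, which carry a cleartext
            # User-Password inside the TLS tunnel. PEAP/MSCHAPv2 inner requests
            # carry MS-CHAP attributes instead and never reach this branch.
            if (User-Password) {
                update control {
                    Auth-Type := kerberos
                }
            }
        }
    }

    authenticate {
        # PAP requests marked above are verified against the KDC by krb5.
        Auth-Type kerberos {
            krb5
        }

        # MS-CHAP and EAP requests keep their normal handlers (needs NT hash
        # access, e.g. via ntlm_auth/winbind, for AD users).
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

The point of keeping the `!control:Auth-Type` guard is that a blanket `DEFAULT Auth-Type = kerberos` in the users file would override the Auth-Type that eap and mschap set for their own requests, which is why MSCHAP can stop working; the guard only fills in Auth-Type for requests that nothing else has claimed.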
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html